Link to home
Start Free TrialLog in
Avatar of Eric Greene
Eric GreeneFlag for United States of America

asked on

Inter-VLAN routing on a 1711

I have a Cisco 1711 router running ios 12.2(7r) with a 4-port ethernet WIC.  

I have a bonded T1 feed coming in on FA0.  I started with that and everything works great.  My L2L tunnels are up and running, I can go to the internet; all is well.

Now, I have this chinky little DSL connection I want to use for an "internet" feed for my users.  I don't want them bogging-down my expensive business connections with useless traffic.

FA1 is on VLAN1 and is the primary inside interface

FA2 is on VLAN2 and is set as the public IP of the DSL service.

I want all internet traffic to go out through FA2, except for my L2Ls.  Where do I begin?
Avatar of naderz
naderz
Flag of United States of America image

One way would be to configure a default route towards the DSL service and specific static routes towards the L2Ls. That should do it.
Avatar of Eric Greene

ASKER

That makes sense.  Would you be willing to help me understand in-depth?  For example, is this what you mean?

FA0:       1.2.3.4/29
VLAN1:  192.168.1.0/24
VLAN2:  5.6.7.8/29
L2L1:     192.168.2.0/24
L2L2:     192.168.3.0/24
ip route 192.168.2.0 255.255.255.0 1.2.3.3
ip route 192.168.3.0 255.255.255.0 1.2.3.3
ip route 0.0.0.0 0.0.0.0 5.6.7.7

Open in new window

yeap, you got it.
don't forget to add route for L2L peer ip address toward FA0.

Regards,
Okay, that didn't quite work.  I am uploading my current config.  I did some global search and replace to obscure vital data -- but hopefully not to the detriment of accuracy.

With this config, I couldn't talk to anything.  I could ping 8.8.8.8 from the router without any trouble.  But, I couldn't talk to anything from my computer on the "192.168.2.xxx" network.
CUSTOMER-1721-UPLOADABLE.TXT
peer 1 and peer 2 are outbound toward 15.15.15.14 which is DSL connection. L2L traffic are agree to forward DSL connection? If not add static route toward T1 connection.

I don't think "ip route 192.168.1.0 255.255.255.0 14.14.14.13" no need as 192.168.1.x is inside interface and connected interface as well.

Hope this help,
Regards
My bad.  One small error in obfuscation changes everything.

the "ip route" statement you had is right, but the VLAN1 interface should be 192.168.2.xxx instead of 192.168.1.xxx

So the route is right, but my "changes" were wrong on the VLAN1 interface.

I am sorry.  Can you review again and tell me if that changes anything?
CUSTOMER-1721-UPLOADABLE.TXT
You do have NAT policy / exempt nat policy for T1 connection . There is no NAT policy for DSL connection. Traffic toward DSL connection need public ip address right? ( Depend on DSL provider). You can ping 8.8.8.8 from router. coz router using DSL' interface ip address as source.

If so, you need nat policy for DSL. Try below.

interface Vlan2
 description DSL Connection
 ip address 15.15.15.15 255.255.255.248
 ip nat outside

ip nat inside source list NAT_DSL interface Vlan2 overload  [Edited]

ip access-list extended NAT_DSL
 permit ip 192.168.2.0 0.0.0.255 any.

I am afraid that your L2L connection is up or not. Pls check "show crypto isakmp sa"

Hope this help,
Regards,
Thank you.  I'm trying that now.  Before I make it official, I have a clarifying question:

You have me doing an interface FA0 overload, but the DSL connection is on VLAN2 -- is that intentional?

Oh, and my L2Ls have been up without any trouble.
Sorry ccbb_cs. That was my topo/past error. I just edited. Please review again.
That didn't work for me.  I was unable to get to the internet until I removed the ip route statement and put the old one back in.

I might upgrade my account here and send you the config privately -- I'll just send you a copy with no passwords.
ohh removed default route towared DSL connection?
To be clear; in order to get it to work again, I had to do the following:

Tried just adding the other default route back and failed:
ip route 0.0.0.0 0.0.0.0 14.14.14.13

Open in new window

Tried doing a no on the new route but failed
no ip route 0.0.0.0 0.0.0.0 15.15.15.14

Open in new window

Had to also no out the nat assignment to vlan2
no ip nat inside source list NAT_DSL interface Vlan2 overload

Open in new window

Final Result
ip route 0.0.0.0 0.0.0.0 14.14.14.13
no ip route 0.0.0.0 0.0.0.0 15.15.15.14
no ip nat inside source list NAT_DSL interface Vlan2 overload

Open in new window

ccbbc_cs: Sorry I could not check on this yesterday because of production issues. Would you please post a scrubbed version of the running-config? I see some issues with NAT but need to confirm the running-config.

Also, on your L2L connections, are these your sites also or vendors/partners?
Naderz, one L2L is a vendor site, the other is our main office.

Please forgive me for taking so long to get back to you all.  The four horsemen of the Apocalypse have been doing laps in my office and fires had to be put out.

I have attached the most recent version of the config and it has been scrubbed.  I also included a legend at the top to keep things straight for all of us.

Just to recap, I'm trying to make sure that all L2Ls go out on the bonded T1, and all web browsing/email/ other traffic goes out on the DSL.  I am having difficulty understanding what I have done wrong.  

At this point, the configuration has taken numerous forms, so I may have some things jacked-up.  We are able to get to the internet and have communication with all L2Ls, but I can't get anything to go out the DSL connection.
1721-Scrubbed.txt
No worries.
I have seen the horsemen. Not good. But, that's what we signed up for :>

If all is working except for traffic to DSL, then I see two things: NAT & routing.

I think the issues you were experiencing above with different variations is because of NAT. You have the same source addresses going out to two different destinations via two different interfaces. This requires a little more elaborate configuration.

I came up with this after digging in old notes. Please review, and we can discuss. This is in addition to what you have now. I have not included your existing configuration.

interface Vlan2
 description DSL Connection
 ip address 18.18.18.162 255.255.255.248
 ip nat outside

!

no ip route 0.0.0.0 0.0.0.0 15.15.15.33
ip route 0.0.0.0 0.0.0.0 18.18.18.16? (need DSL termination IP address)
ip route 192.168.1.0 255.255.255.0 15.15.15.33
ip route 21.21.21.0 255.255.255.0 15.15.15.33

ip nat inside source route-map dsl-nat interface Vlan2 overload
ip nat inside source route-map vendor-nat interface FastEthernet0 overload
!


access-list 120 permit ip 192.168.2.0 0.0.0.255 any
!
!
route-map dsl-nat permit 10
 match ip address 120
 match interface Vlan2
!
route-map vendor-nat permit 10
 match ip address 120
 match interface FastEthernet0

The above may need a little tweaking, but it should do it.
Thank you, Naderz.  I won't be able to test this until this evening.  As soon as I do, I'll post the results.
Very good. one variation you may want to consider is using the fastethernet connecting to the DSL and not vlan2.
I tried that to begin with, but there seemed to be a limitation in assigning the ACL to the FA2 interface.  I'll try again though.
Just wanted to give an update.  I have not yet been able to get to the remote site to apply the prescribed fix.  I will be there this weekend.  Don't know what the rules are about open questions, but I wanted you to know where I was at with this.
No worries. I think that's fine. Good luck.
Okay, naderz, I tried the following, but it did not work quite the way we had hoped.  Hence the tweaking you said we might need to do.
interface Vlan2
 description DSL Connection
 ip address 18.18.18.162 255.255.255.248
 ip nat outside

!

no ip route 0.0.0.0 0.0.0.0 15.15.15.33
ip route 0.0.0.0 0.0.0.0 18.18.18.16? (need DSL termination IP address)
ip route 192.168.1.0 255.255.255.0 15.15.15.33
ip route 21.21.21.0 255.255.255.0 15.15.15.33

ip nat inside source route-map dsl-nat interface Vlan2 overload
ip nat inside source route-map vendor-nat interface FastEthernet0 overload
!


access-list 120 permit ip 192.168.2.0 0.0.0.255 any
!
!
route-map dsl-nat permit 10
 match ip address 120
 match interface Vlan2
!
route-map vendor-nat permit 10
 match ip address 120
 match interface FastEthernet0 

Open in new window

However, when I did this, I was able to ping the hosted LoB app domain by name from the router and it translated it to IP and was 100% successful in communicating.  Still, when I tried to browse to the same domain from a workstation, I couldn't get there.

Thoughts?
OK. So, pinging the hosted LoB was not doable before and is doable now, correct? If yes, then that is positive.

Questions:

1. Can you ping a host at LoB by IP address from a workstation?

2. What is the IP address of the DNS used by workstation? Is it at LocA?

2. Can you get on the Internet and if yes, can you confirm your address is 18.18.18.62? You can use a site like whatismyipaddress.com or speedtest.net

3. Can you post results of:

show access-list 120

show ip nat
One more test: I would test using the FE2 interface rather than the Vlan2. With these modifications:

!
 no interface Vlan2
!

interface FastEthernet2
 description DSL Connection
 ip address 18.18.18.162 255.255.255.248
 ip nat outside
!

no ip nat inside source route-map dsl-nat interface Vlan2 overload

ip nat inside source route-map dsl-nat interface FastEthernet2 overload
!
!
route-map dsl-nat permit 10
 match ip address 120
 no match interface Vlan2
 match interface FastEhternet2
!
ASKER CERTIFIED SOLUTION
Avatar of naderz
naderz
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I couldn't do the second ip route out to FastEthernet2 because on the 1700 4-port WIC you can't assign IP to th layer 2 interface.  You have to actually put the port in a vlan and do it that way.

After doing that, I still came up empty.  This is intense for me, and I called someone in over the weekend who works with Cisco routers and he was unable to get it figured out.

I'm going to give it one more try tonight, then I'll close the question regardless of the outcome.
The first route-map I had posted should have done the trick. Any feedaback on what did not work?
Questions:

1. Can you ping a host at LoB by IP address from a workstation?

2. What is the IP address of the DNS used by workstation? Is it at LocA?

3. Can you get on the Internet and if yes, can you confirm your address is 18.18.18.62? You can use a site like whatismyipaddress.com or speedtest.net

3. Can you post results of:

show access-list 120

show ip nat
I have to table this for a while.  Since I can only go once per week to this location to work on it, I have booked some formal Cisco router training and I'll take another stab at it.

I'm fairly certain you're right there naderz, but I just can't provide the back-and-forth the way I need to.  I do apologize.  Not sure what to do about points and such from here.
no worries. I hope that all goes well.